
Freezing with Trojan-Downloaders


7 replies to this topic

#1 ImaNoobie

  • Members
  • 4 posts

Posted 10 July 2009 - 01:29 PM

Hello, I am an employee at a dental office. One of the receptionists' computers is experiencing Trojan software and frequent freezing problems. The computer uses Windows XP Professional and Internet Explorer as its browser. The computer is used for dental office software and for researching insurance details on the Internet. When the computer starts, after the login screen, the following error windows appear.

Posted Image
Posted Image
Posted Image

Malwarebytes' Anti-Malware is already installed on the computer. However, it would not start up despite multiple attempts.

The free version of Spyware Doctor was installed after the freezing problems appeared, and it found the following spyware.

Posted Image

Internet Explorer is also experiencing problems. Not only are Google searches slow, but clicking on links also opens a window that links either to advertisements or to a blank page with this message:

Welcome to the MIVA DLL. Please enjoy your stay.
Initialization errors: 0


with a URL similar to this:

http://204.137.28.195/bin/findwhat.dll?clickthroughy=52593x=1ZEJg6mkAsVK1apaET9Z54VbiTxZb7FmACEgEgsln2VXTCEnl47iICFmylE:5Tqv96IyQgSmsayKe4ZyylZSpaEYDtI0EN9LNiaIEJE4TNxqTCITslLLM2IQ5Hr;ABsIeTZdTtPA5aZrLarGDgIYt7bspcP2AlxqQCaguct0b4LwbcFFyJIzbufG3

The computer also freezes, and the freezing happens randomly. Sometimes Internet Explorer is running, while sometimes no programs are running at all.

The computer is vital to continuing to provide quality service to our patients. We appreciate any help BleepingComputer and its staff and members can provide. Thank you!

Edited by ImaNoobie, 10 July 2009 - 01:49 PM.



#2 ImaNoobie

  • Topic Starter
  • Members
  • 4 posts

Posted 10 July 2009 - 01:39 PM

The computer also cannot create a restore point. It asks for a restart. However, it still does not work after restarts.

Also, the computer frequently freezes before showing the login screen. The computer must be restarted manually.

We value any help available. Thank you!

Edited by ImaNoobie, 10 July 2009 - 01:55 PM.


#3 DaChew

  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2009 - 02:06 PM

Let's see if a renamed MBAM will run

Here's a random renamer for the program if you can get it installed

http://kixhelp.com/wr/files/mb/randmbam.exe

Here's a link for MBAM definition update

http://www.gt500.org/malwarebytes/database.jsp
Chewy

No. Try not. Do... or do not. There is no try.

#4 ImaNoobie

  • Topic Starter
  • Members
  • 4 posts

Posted 10 July 2009 - 05:40 PM

Thanks for the quick reply. I was able to run MBAM with your programs at the links you gave me.

This is the log for the full scan:

Malwarebytes' Anti-Malware 1.37
Database version: 2353
Windows 5.1.2600 Service Pack 3

7/10/2009 12:43:11 PM
mbam-log-2009-07-10 (12-43-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 128831
Time elapsed: 11 minute(s), 2 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 18
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 24

Memory Processes Infected:
C:\WINDOWS\Fonts\services.exe (Worm.Archive) -> Unloaded process successfully.

Memory Modules Infected:
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Delete on reboot.
c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msncache (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vmwareapp.vmware (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vmwareapp.vmware.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\net (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cognac (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\i (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mms (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\exec (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.bat\(default) (Hijacked.BatFile) -> Bad: (csfile) Good: (batfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.com\(default) (Hijacked.ComFile) -> Bad: (csfile) Good: (comfile) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\.exe\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\msncache.dll (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\system32\net.net (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\bucksnet.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\dailybucks_install.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\prun.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\administrator\local settings\Temp\ydt7jidryhtmksxhsetjhsrtjr44.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\all users\application data\17930624\17930624.exe (Rogue.Installer) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\pcmstub.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\txpxr_102349699465.b1k (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\FInstall.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tpsaxyd.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Local Settings\Temp\rasesnet.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Fonts\services.exe (Worm.Archive) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Local Settings\Temp\defender32.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msbihsj.exe (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wiawow32.sys (Backdoor.Bot) -> Quarantined and deleted successfully.
c:\documents and settings\Administrator\Local Settings\Temp\db.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


However, after I tried to remove everything, MBAM alerts that a couple of threats cannot be removed, as shown below:

Posted Image

I restarted the computer to run MBAM again; after numerous attempts to at least reach the Windows desktop because of the crashing, MBAM still cannot get rid of the virus software. The computer freezes more frequently, and it has been irritating my co-workers. Thanks for the help so far, though! What do you recommend I do now?
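A log like the one above is easier to act on once its lines are grouped by the mechanism each item uses to survive a reboot or to blunt the defender. The script below is an added example, not code from this thread, from BleepingComputer or from Malwarebytes: it parses the `<item> (<classification>) -> <action>` lines of an MBAM 1.x text log and sorts them into persistence buckets. The embedded sample is a constructed subset of the lines posted above; the bucket names and the `uac*` filename pattern (uacinit.dll in the log, the uacxxxxxx.sys naming mentioned later in the thread) are assumptions of this example, not MBAM's own taxonomy.

```python
"""Triage helper for Malwarebytes' Anti-Malware (MBAM 1.x) text logs.

Added example, not code from the original thread or from Malwarebytes.
The mechanism labels and the uac* filename pattern are assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the lines posted above, one or two per
# section, in the MBAM 1.37 layout so every section type is exercised.
SAMPLE_LOG = """\
Memory Processes Infected:
C:\\WINDOWS\\Fonts\\services.exe (Worm.Archive) -> Unloaded process successfully.

Memory Modules Infected:
c:\\WINDOWS\\system32\\msncache.dll (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\pcmstub (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\net (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\\.exe\\(default) (Hijacked.exeFile) -> Bad: (csfile) Good: (exefile) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\\WINDOWS\\system32\\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\Tasks\\{783AF354-B514-42d6-970E-3E8BF0A5279C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<cls>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
# Assumed pattern for the randomly named uac* components (uacinit.dll here,
# "uacxxxxxx.sys" as described later in the thread).
UAC_NAME_RE = re.compile(r"\\uac[a-z0-9]*\.(?:sys|dll)$", re.IGNORECASE)


@dataclass
class Detection:
    section: str                # e.g. "Registry Keys", "Files"
    item: str                   # path, registry key or value
    classification: str         # MBAM label, e.g. "Backdoor.Bot"
    action: str                 # what MBAM did, or deferred to reboot
    bad: Optional[str] = None   # only on "Registry Data Items" lines
    good: Optional[str] = None


def parse_mbam_log(text: str) -> List[Detection]:
    """Return every detection line found under a '... Infected:' section."""
    section = None
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(" Infected:"):        # section header (summary counts end in a number)
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if section is None or m is None:       # scan header or "(No malicious items detected)"
            continue
        rest = m.group("rest")
        bad = good = None
        action = rest
        bg = BAD_GOOD_RE.match(rest)           # "Bad: (x) Good: (y) -> action"
        if bg:
            bad, good, action = bg.group("bad"), bg.group("good"), bg.group("action")
        found.append(Detection(section, m.group("item"), m.group("cls"), action, bad, good))
    return found


def mechanism(d: Detection) -> str:
    """Label a detection with the persistence/tampering mechanism it represents."""
    item = d.item.lower()
    if d.classification.startswith("Hijacked."):
        return "file_association_hijack"       # .exe/.bat/.com routed through "csfile"
    if d.classification == "Disabled.SecurityCenter":
        return "security_center_tampering"     # AV/firewall/update warnings silenced
    if "\\services\\" in item:
        return "service_or_driver"             # reloads at boot as a service or kernel driver
    if (item.endswith(("\\windows\\load", "\\windows\\run"))
            or "\\currentversion\\run\\" in item
            or "\\policies\\explorer\\run\\" in item):
        return "autorun_registry"              # runs at logon
    if "\\tasks\\" in item and item.endswith(".job"):
        return "scheduled_task"
    if d.section.startswith("Memory"):
        return "running_code"                  # loaded at scan time
    return "file_or_trace"


def triage(detections: List[Detection]) -> Dict[str, object]:
    """Group by mechanism; list what stays on disk until reboot and any uac* names."""
    by_mechanism: Dict[str, List[str]] = {}
    for d in detections:
        by_mechanism.setdefault(mechanism(d), []).append(d.item)
    return {
        "by_mechanism": by_mechanism,
        "pending_reboot": [d.item for d in detections if d.action.startswith("Delete on reboot")],
        "uac_named": [d.item for d in detections if UAC_NAME_RE.search(d.item)],
        "classes": Counter(d.classification for d in detections),
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for mech, items in report["by_mechanism"].items():
        print(f"{mech}:")
        for it in items:
            print(f"    {it}")
    print("still on disk until reboot:", report["pending_reboot"])
    print("uac*-named components:", report["uac_named"])
```

Run as-is it reports on the sample; to triage a real log, read a saved mbam-log-*.txt file and pass its text to parse_mbam_log. The pending_reboot list is the first thing to re-check after restarting: anything MBAM could only mark "Delete on reboot" was loaded when the scan ran, and the service_or_driver bucket shows what will load it again at the next boot.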

#5 DaChew

  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2009 - 06:24 PM

Several of the identified infections are rootkits/backdoor trojans.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Edited by DaChew, 10 July 2009 - 06:24 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#6 DaChew

  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2009 - 06:30 PM

This is a very nasty infection

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan and paste the report into a reply here please

Use this guide to follow

http://www.malwarebytes.org/forums/index.php?showtopic=12709

The file you will be looking for will be named uacxxxxxx.sys

Follow the instructions to wipe, reboot and run MBAM (quick scan); post both logs please

Edited by DaChew, 10 July 2009 - 06:30 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#7 ImaNoobie

  • Topic Starter
  • Members
  • 4 posts

Posted 10 July 2009 - 06:53 PM

Thank you again for the quick reply, Mr. DaChew.

The manager of the dental office has contacted another professional computer technician in our local area, and has ordered a full reformat and reinstall of the OS as you have suggested. Do you still recommend that the RootRepeal procedure be followed?

Thank you again for your help! If only we could afford you tokens of our gratitude at our dental office...

#8 DaChew

  • Visiting Alien
  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 10 July 2009 - 07:44 PM

Just leave the machine off; if you have to use it, then proceed with RootRepeal.
Chewy

No. Try not. Do... or do not. There is no try.



